
Re: [openpgp] Deprecating SHA1

2020-10-24 20:19:44
On 2020-10-24 at 09:57 +0100, Jonathan McDowell wrote:
> On Fri, Oct 23, 2020 at 03:23:17PM -0400, Phil Pennock wrote:
> >     gpg --expert --cert-digest-algo SHA256 --sign-key $YourKeyId
>
> I'm one of the people with a SHA1 self signature. I've been aware of it
> for some time, and it's been on my todo list to sort out, but when I
> last tried GPG did not make it possible. What version of GPG is
> necessary for the above to work? The somewhat aged versions on the
> airgapped machine my master key lives on do not seem to want to update
> the type of the self sig with that command.

[ not to list-cop, just to make sure that I'm not blindly taking this
  down a rat-hole not germane to the IETF list, since I'm the one who
  raised GnuPG in the first place: ]
Since this affects the ease of a deprecation, I'm considering this
on-topic enough for me to reply here; if the follow-ups are specific to
GnuPG, then gnupg-users might be a better mailing-list?  If it's about
the real-world practicalities of migrating and the impact on IETF
standardization then perhaps not.

I see commit messages about "Honor --cert-digest-algo when recreating a
cert." from 2012:

  commit 2b3cb2ee94625498e7a7f939216c9bcddef6ec20
  Author: David Shaw
  Date:   Tue Jan 31 21:30:05 2012 -0500

  commit 60c58766aeb847b769372fa981f79abac6014500
  Author: Christian Aistleitner
  Date:   Sun Oct 14 20:30:20 2012 +0200

Using `git tag --contains $COMMIT_SHA`, it looks like gnupg-2.1.0
onwards include it.  If memory serves, there's an "odd minor is dev,
even minor is release" pattern used here, so 2.2 would have been the
first "real release" even though lots of places had 2.1 packaged.

<https://gnupg.org/download/> has an EOL table; GnuPG 1.4 is dead-end
with no support for modern algorithms; 2.0 started on 2006-11-11 and
reached EOL on 2017-12-31.  GnuPG 2.2 cites 2014-11-06.

If the modern GnuPG approach to partitioning up the work in managing a
keyring is of concern, then I suspect Neal will be happy to help with a
migration to Sequoia PGP.  :)

-Phil
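As an added illustration (not code from this thread or from GnuPG), the script below reads `gpg --with-colons --list-signatures` output and reports self-signatures that were made with a weak digest, so a key holder can see which binding still needs the re-sign command quoted above. It assumes field 16 of `sig`/`rev` records carries the RFC 4880 hash algorithm ID, as GnuPG 2.1+ documents in DETAILS; the key IDs and user IDs in the sample are constructed.

```python
"""Flag self-signatures made with a weak digest in `gpg --with-colons` output."""
from dataclasses import dataclass

# RFC 4880 section 9.4 hash algorithm IDs.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2, 3}   # MD5, SHA1, RIPEMD160: not acceptable for certifications

@dataclass
class WeakSelfSig:
    keyid: str       # primary key that issued the self-signature
    target: str      # user ID or subkey the signature binds
    sig_class: str   # field 11, e.g. "13x" positive certification, "18x" subkey binding
    hash_algo: int   # field 16, RFC 4880 hash ID

def find_weak_self_sigs(colons_output: str) -> list:
    """Return self-signatures (issuer == primary key ID) whose digest is weak."""
    weak, primary, target = [], None, None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            primary, target = f[4], "primary key " + f[4]
        elif f[0] == "uid":
            target = f[9]               # user ID (C-escaped by gpg, e.g. \x3a for ':')
        elif f[0] == "sub":
            target = "subkey " + f[4]
        elif f[0] in ("sig", "rev") and primary is not None:
            if f[4] != primary:         # third-party certification: not our problem here
                continue
            try:
                hash_algo = int(f[15])  # field 16 is absent on old gpg: treat as unknown
            except (IndexError, ValueError):
                continue
            if hash_algo in WEAK_HASHES:
                weak.append(WeakSelfSig(primary, target, f[10], hash_algo))
    return weak

def resign_command(keyid: str) -> str:
    """The re-certification command from the thread, for the flagged key."""
    return f"gpg --expert --cert-digest-algo SHA256 --sign-key {keyid}"

# Constructed sample: one SHA1 self-certification on the UID, a SHA1 third-party
# certification (ignored), and a SHA256 subkey binding (fine).
SAMPLE = """\
pub:u:4096:1:0123456789ABCDEF:1262304000:::u:::scESC::::::23::0:
uid:u::::1262304000::UIDHASHPLACEHOLDER::Alice Example <alice@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1262304000::::Alice Example <alice@example.org>:13x:::::2:
sig:::1:FEDCBA9876543210:1300000000::::Bob Example <bob@example.org>:10x:::::2:
sub:u:4096:1:1111222233334444:1262304000::::::e::::::23:
sig:::1:0123456789ABCDEF:1500000000::::Alice Example <alice@example.org>:18x:::::8:
"""

if __name__ == "__main__":
    for w in find_weak_self_sigs(SAMPLE):
        print(f"{HASH_NAMES[w.hash_algo]} self-sig ({w.sig_class}) on {w.target}: "
              f"run: {resign_command(w.keyid)}")
```

If a GnuPG version too old to emit field 16 is in use, the parser reports nothing rather than declaring the key clean; `gpg --list-packets` on the exported key shows the digest algorithm of each signature packet in that case.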

_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp
